Rosenthal, Personal Data without Identifiability?, digma 4/2017

David Rosenthal, in the just published issue 4/2017 of the digma [Swisslex] wrote an essay on the topic of “singularization”, i.e. on the question of whether it is sufficient for the identifiability of a person if this person cannot be identified but can be distinguished from all other persons by a unique date. This question is in the light of all of Art. 4 No. 1 GDPR, according to which any information is considered to be a “personal data” which

in particular by means of Assignment to an identifier such as […] an identification number […] or to one or more particular characteristics expressing the […] identity […].

Recital 26 states in this regard that, in assessing the reference to persons

alle Mittel berücksichtigt werden [shall], die von dem Verantwortlichen […] wahrscheinlich genutzt werden, um die natürliche Person direkt oder indirekt zu identifizieren, such as the sorting out.

Therefore, the question arises whether singling out – i.e., singularizing – is sufficient for establishing the person reference. Rosenthal comes to the following conclusion:

The concept of personal data has not changed with the GDPR. The “relative” approach still applies, which is based on whether or not the person who has access to certain data can identify the persons affected by it. This also applies in the EU, where the ECJ recently confirmed this with its decision regarding IP addresses. The concept of “singularization” does not change this. A data record singularizes a person if, like a fingerprint, it is so specific that it can only refer to him or her, even if it is not known who is involved. Such as with genetic data. The GDPR mentions singularization as an indication of identifiability, but it alone is not sufficient. For this purpose, the article presents the “Reference data test”: According to this, personal data exists if there is a connection between the a match can be made between the data in question and data records of a single, real person already available or accessible to the processor. Genetic data and IP addresses are therefore never per se personal data.

David Vasella

21 December 2017

Deutsch

Authority

Area

Privacy

Topics

Personal data, Singularization

common search words

Topics

Rosenthal, Personal Data without Identifiability?, digma 4/2017

ECJ in the case of IAB Europe: broad interpretation of the concept of personal data: connection based on the purpose is sufficient; joint responsibility of IAB with the members

VG Berlin: Unreasonable information about video recordings; personal reference of the recordings (left open)

ECJ in the case of Scania (Case C‑319/22): relative approach to determining identifiability

ECJ i.S. CRIF (C‑487/21): Scope of the right to copy personal data

com­mon search words

Topics

Rosen­thal, Per­so­nal Data wit­hout Iden­ti­fia­bi­li­ty?, dig­ma 4/2017

ECJ in the case of IAB Euro­pe: broad inter­pre­ta­ti­on of the con­cept of per­so­nal data: con­nec­tion based on the pur­po­se is suf­fi­ci­ent; joint respon­si­bi­li­ty of IAB with the members

VG Ber­lin: Unre­a­sonable infor­ma­ti­on about video recor­dings; per­so­nal refe­rence of the recor­dings (left open)

ECJ in the case of Sca­nia (Case C‑319/22): rela­ti­ve approach to deter­mi­ning identifiability

ECJ i.S. CRIF (C‑487/21): Scope of the right to copy per­so­nal data

common search words

Rosenthal, Personal Data without Identifiability?, digma 4/2017

ECJ in the case of IAB Europe: broad interpretation of the concept of personal data: connection based on the purpose is sufficient; joint responsibility of IAB with the members

VG Berlin: Unreasonable information about video recordings; personal reference of the recordings (left open)

ECJ in the case of Scania (Case C‑319/22): relative approach to determining identifiability

ECJ i.S. CRIF (C‑487/21): Scope of the right to copy personal data